Snort mailing list archives

Re: Snort Alert Processing Survey


From: Jim Hranicky <jfh () ufl edu>
Date: Mon, 27 Mar 2017 14:59:38 -0400

We do SQL queries against the MySQL DB fed by barnyard2 to look
for events of interest.

I wrote a patch to barnyard 1 to send events to the acid_event table
for when we were using BASE, but we gave up on BASE a long time
ago. I migrated the patch to barnyard2 and we still use that for
our queries. I also wrote a ruby script called "qids" that
can search based on IPs, ports, signatures, payloads, etc.

I keep meaning to release these but I have to go through our
licensing division first, so I keep not :) If there's interest
I'll see about getting off my lazy butt and getting the
process started.

--
Jim Hranicky
Data Security Specialist
UF Information Technology
105 NW 16TH ST Room #104 GAINESVILLE FL 32603-1826
352-273-1341
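Jim's post says they run SQL queries against the barnyard2-fed MySQL database and that his "qids" script searches by IPs, ports, signatures and payloads. The following is an added example, not Jim's patch, his qids script or barnyard2's own code: a search function of that shape over an in-memory SQLite copy of a simplified Snort DB schema. The table and column names (event, signature, iphdr, tcphdr, udphdr, data; integer-encoded IPv4 addresses; hex-encoded payload) are assumed from the classic schema barnyard2 writes and should be checked against a real barnyard2 database, and the three alerts are constructed. Every filter is passed as a bound parameter, which is the check a search tool that accepts user-typed IPs, ports and strings needs.

```python
"""Search a barnyard2-style Snort alert database (added example, assumed schema)."""
import sqlite3
import ipaddress

# Simplified copy of the classic Snort DB schema that barnyard2 populates.
# Names are assumptions: verify them against your own database.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_sid INTEGER, sig_priority INTEGER);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
"""


def ip_to_int(ip):
    """The schema stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def build_sample_db():
    """In-memory database holding three constructed alerts (not real traffic)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?)", [
        (1, "LOCAL constructed signature A", 1000001, 2),
        (2, "LOCAL constructed signature B", 1000002, 3),
    ])
    # (sid, cid, signature row, timestamp, src, dst, proto, sport, dport, payload)
    alerts = [
        (1, 1, 1, "2017-03-27 10:00:00", "10.0.0.5", "192.0.2.10", 6, 51234, 80, b"GET / HTTP/1.1"),
        (1, 2, 2, "2017-03-27 10:05:00", "10.0.0.7", "192.0.2.10", 17, 5353, 53, b"constructed dns"),
        (1, 3, 1, "2017-03-27 10:09:00", "10.0.0.5", "198.51.100.4", 6, 4444, 22, b"SSH-2.0-test"),
    ]
    for sid, cid, sig, ts, src, dst, proto, sport, dport, payload in alerts:
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)",
                     (sid, cid, ip_to_int(src), ip_to_int(dst), proto))
        table = "tcphdr" if proto == 6 else "udphdr"
        conn.execute(f"INSERT INTO {table} VALUES (?,?,?,?)", (sid, cid, sport, dport))
        # barnyard2 writes the packet payload as a hex string
        conn.execute("INSERT INTO data VALUES (?,?,?)", (sid, cid, payload.hex().upper()))
    conn.commit()
    return conn


def search(conn, ip=None, port=None, sig_sid=None, payload=None):
    """Return alerts matching all given filters; filters are bound parameters, never formatted in."""
    sql = """
    SELECT e.sid, e.cid, e.timestamp, s.sig_sid, s.sig_name, s.sig_priority,
           i.ip_src, i.ip_dst, i.ip_proto,
           COALESCE(t.tcp_sport, u.udp_sport) AS sport,
           COALESCE(t.tcp_dport, u.udp_dport) AS dport,
           d.data_payload
    FROM event e
    JOIN signature s ON s.sig_id = e.signature
    JOIN iphdr i      ON i.sid = e.sid AND i.cid = e.cid
    LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
    LEFT JOIN udphdr u ON u.sid = e.sid AND u.cid = e.cid
    LEFT JOIN data d   ON d.sid = e.sid AND d.cid = e.cid
    WHERE 1 = 1
    """
    params = []
    if ip is not None:                       # match either endpoint
        sql += " AND (i.ip_src = ? OR i.ip_dst = ?)"
        params += [ip_to_int(ip), ip_to_int(ip)]
    if port is not None:                     # TCP or UDP, either direction
        sql += (" AND (COALESCE(t.tcp_sport, u.udp_sport) = ?"
                " OR COALESCE(t.tcp_dport, u.udp_dport) = ?)")
        params += [port, port]
    if sig_sid is not None:                  # the rule's SID, not the row id
        sql += " AND s.sig_sid = ?"
        params.append(sig_sid)
    if payload is not None:                  # hex-encode the term to match the stored form
        sql += " AND d.data_payload LIKE ?"  # hex digits contain no LIKE metacharacters
        params.append("%" + payload.encode().hex().upper() + "%")
    sql += " ORDER BY e.sid, e.cid"
    return [
        {"sid": r["sid"], "cid": r["cid"], "timestamp": r["timestamp"],
         "sig_sid": r["sig_sid"], "sig_name": r["sig_name"],
         "src": int_to_ip(r["ip_src"]), "dst": int_to_ip(r["ip_dst"]),
         "sport": r["sport"], "dport": r["dport"],
         "payload": bytes.fromhex(r["data_payload"]) if r["data_payload"] else b""}
        for r in conn.execute(sql, params)
    ]


if __name__ == "__main__":
    db = build_sample_db()
    for hit in search(db, ip="10.0.0.5", payload="GET"):
        print(hit)
```

One caveat on the payload search: matching a hex string with LIKE is not byte-aligned, so a term can occasionally match across a byte boundary and produce a false positive; filtering the returned rows again on the decoded payload removes those. Against MySQL the same statement works with the driver's own parameter placeholder, and the COALESCE expression is repeated in WHERE because MySQL does not let you reference a SELECT alias there.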


On 03/14/2017 04:48 PM, m-one wrote:
1.  I'm wondering how the vast millions of Snort users are monitoring
Snort alerts?  So please, let's hear it -- how are you answering the
question "is my Snort application effective?"  Where do you look to
examine Snort alerts?
2.  Re: [Snort-users] BASE 1.4.5 Non-Operational on Fedora 25.  Thanks
to Marcin's reply to my initial msg entitled "BASE 1.4.5 Non-Operational
on Fedora 25" & subsequently what I was going to ask
follows.  {Is there an expanded list of modern alternatives?  If not, I
must be missing something -- how are the vast majority of Snort users
monitoring alert info?  How many millions have DL'd Snort?  What are
they using?  Are they just looking at text based logs?  Are they
querying SQL DBs or what?  I hate the idea that I'm looking right past
the obvious...[grin]}


M-One

On Mon, 2017-03-13 at 23:49 +0100, Marcin Dulak wrote:
On Mon, Mar 13, 2017 at 9:34 PM, m-one <m-one () cox net> wrote:
1.  Help.  I've installed Snort v2.9.9.0 on Fedora 25 along with
Pulledpork & BASE v1.4.5.  All is operational except when I access
"http://localhost/base/index.php" I get the actual contents of the file
"index.php". I was able to get php 5.6 from Remi repo, but I had
trouble finding PHP v5.6 compatible offerings of php-pear-Image-Canvas,
php-pear-Image-Color, & php-pear-Image-Graph.  I did find *.rpm files
for Fedora 23, but upon install the dependencies called for PHP 7.0 --
I did install, but got the same result = actual contents of the file
"index.php".

2.  Help.  Is the situation hopeless?  Should I move on to Sguil or
something else?  Any Fedora users running BASE or Sguil?

there is probably no hope for the legacy tools apart from those
included in https://securityonion.net/

For a modern alternative see
https://blog.jasonish.org/2014/04/16/snort-logstash-elastic-search-and-kibana/
Marcin

M-One

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!